FireDaemon Fusion is a web application that allows you to control and manage FireDaemon Pro and Windows system services remotely via your web browser. FireDaemon Fusion deploys a self-signed TLS / SSL certificate. This guide will show you how to protect FireDaemon Fusion's web interface with a self-signed or Certificate Authority Signed SSL certificate.


FireDaemon Fusion SSL Key Setup/Integration guide

First off, download FireDaemon Fusion. There are four ways to obtain an SSL certificate: Self Signed Easy, Self Signed Hard, Let's Encrypt, and Certificate Authority.


Note 1: With the easy and hard (self-signed) ways, your browser will display an SSL warning whenever you view your Fusion page. If you do not want to see this warning, you will need to buy an SSL certificate from a Certificate Authority.


Note 2: If you choose to password-protect your SSL .key file, take note of the password, as you will need it later in this guide. There is no way to recover the password if you forget it.


Easy Way - less control over certificate details

  1. Go to http://www.selfsignedcertificate.com (note that the site generates the private key on its own server, not on your machine).
  2. If the server running Fusion has a DNS domain name associated with its IP address, enter that domain name in the text box and click "Generate"; otherwise enter the server's IP address and click "Generate".
  3. Download the .key and .cert files to your desktop (or somewhere else easily accessible).
  4. Combine the .key and .cert files you downloaded in step 3: use a text editor such as Notepad and paste the contents of both files into a new file named Fusion.pem (not Fusion.pem.txt).
    • IMPORTANT: The format for Fusion.pem must be:
      -----BEGIN CERTIFICATE-----
      *certificate in here*
      -----END CERTIFICATE-----
      -----BEGIN RSA PRIVATE KEY-----
      *rsa key in here*
      -----END RSA PRIVATE KEY-----
  5. Continue to the "FireDaemon Fusion SSL Integration" section to get your SSL certificate working with FireDaemon Fusion.

Hard Way - more control over certificate details

  1. Download FireDaemon's OpenSSL binary distribution and deploy it per the instructions on the web page.
  2. Open a command window (press Windows key + R, type "cmd" and press Enter). Type the following commands to generate the private key, the certificate signing request and the self-signed certificate. You can enter a password during key creation.
    • set OPENSSL_CONF=C:\OpenSSL\ssl\openssl.cnf
    • C:\OpenSSL\x64\bin\openssl genrsa -out server.key 2048
    • C:\OpenSSL\x64\bin\openssl req -new -key server.key -out server.csr -sha256
    • C:\OpenSSL\x64\bin\openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  3. Combine the server.key and server.crt files you created in step 2: use a text editor such as Notepad and paste the contents of both files into a new file named Fusion.pem (not Fusion.pem.txt).
    • IMPORTANT: The format for Fusion.pem must be:
      -----BEGIN CERTIFICATE-----
      *certificate in here*
      -----END CERTIFICATE-----
      -----BEGIN RSA PRIVATE KEY-----
      *rsa key in here*
      -----END RSA PRIVATE KEY-----
  4. Continue to the "FireDaemon Fusion SSL Integration" section to get your SSL certificate working with FireDaemon Fusion.

Obtaining a certificate with Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority created by the Electronic Frontier Foundation. While Certbot, the recommended Let's Encrypt client, is not fully supported on Windows, you can use other compatible clients. This guide details the steps using the ACMESharp shell client.

  1. Follow the steps in the ACMESharp guide to install ACMESharp and obtain a certificate. For step 5, we recommend validating your domain via DNS (Method #3).
  2. Once your domain has been marked as valid, you can retrieve the certificate by following the instructions in the ACMESharp guide.
  3. Combine the .key and .cert files you retrieved in step 2: use a text editor such as Notepad and paste the contents of both files into a new file named Fusion.pem (not Fusion.pem.txt).
    • IMPORTANT: The format for Fusion.pem must be:
      -----BEGIN CERTIFICATE-----
      *certificate in here*
      -----END CERTIFICATE-----
      -----BEGIN RSA PRIVATE KEY-----
      *rsa key in here*
      -----END RSA PRIVATE KEY-----
  4. Continue to the "FireDaemon Fusion SSL Integration" section to get your SSL certificate working with FireDaemon Fusion.

The best but not free - official Certificate Authority

  1. Go to a Certificate Authority such as Namecheap (certificates start at around $8 per year).
  2. You will need to generate a CSR (Certificate Signing Request). You can do this with OpenSSL.
  3. Download FireDaemon's OpenSSL binary distribution.
  4. Open a command window (press Windows key + R, type "cmd" and press Enter). Type the following commands to generate the private key and the CSR:
    • set OPENSSL_CONF=C:\OpenSSL\ssl\openssl.cnf
    • C:\OpenSSL\x64\bin\openssl genrsa -out server.key 2048
    • C:\OpenSSL\x64\bin\openssl req -new -key server.key -out server.csr -sha256
  5. Then follow the directions at whichever Certificate Authority you chose.
  6. Once your Certificate Authority has processed your payment and issued the certificate, it will be emailed to you.
  7. Combine the server.key file you created in step 4 with the certificate you received in step 6: use a text editor such as Notepad and paste the contents of both files into a new file named Fusion.pem (not Fusion.pem.txt).
    • IMPORTANT: The format for Fusion.pem must be:
      -----BEGIN CERTIFICATE-----
      *certificate in here*
      -----END CERTIFICATE-----
      -----BEGIN RSA PRIVATE KEY-----
      *rsa key in here*
      -----END RSA PRIVATE KEY-----
  8. If your Certificate Authority uses alternate root or intermediate certificates, ensure they are pasted at the start of the text file (e.g. PositiveSSL will send you your signed certificate plus a Root CA certificate (AddTrustExternalCARoot.crt) and an Intermediate CA certificate (PositiveSSLCA2.crt)).
  9. Continue to the "FireDaemon Fusion SSL Integration" section below to get your SSL certificate working with FireDaemon Fusion.
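Every one of the four routes above ends with the same manual step: assemble Fusion.pem with the certificate block(s) first and the private key last. The following Python is an added example, not part of FireDaemon's tooling; it builds the file from PEM text you already have and checks that the result has exactly that shape before you copy it into the installation directory. The certificate and key bodies in it are constructed placeholders, not real key material.

```python
import re
# One PEM block: header, base64 body, matching footer (CRLF or LF line endings).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)
# This guide shows the PKCS#1 "RSA PRIVATE KEY" header; OpenSSL 3.x genrsa writes
# the PKCS#8 "PRIVATE KEY" header instead, so both are accepted here.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}

def check_fusion_pem(text):
    """Return (certificate_count, key_label); raise ValueError unless the text is
    one or more CERTIFICATE blocks followed by exactly one private key block."""
    labels = [m.group("label") for m in PEM_BLOCK.finditer(text)]
    if not labels:
        raise ValueError("no PEM blocks found (saved as .txt or re-encoded?)")
    leftover = PEM_BLOCK.sub("", text).strip()
    if leftover:  # notes, a BOM or editor residue would break the parser
        raise ValueError("text outside PEM blocks: %r" % leftover[:40])
    certs = [l for l in labels if l == "CERTIFICATE"]
    keys = [l for l in labels if l in KEY_LABELS]
    if len(certs) + len(keys) != len(labels) or not certs:
        raise ValueError("unexpected block types: %s" % labels)
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    if labels[-1] not in KEY_LABELS:
        raise ValueError("the private key must be the last block, after all certificates")
    return len(certs), keys[0]

def is_fusion_pem(text):
    try:
        check_fusion_pem(text)
        return True
    except ValueError:
        return False

def build_fusion_pem(cert_pems, key_pem):
    """Join certificate PEM text(s) in the order given, then the key, with LF
    line endings, and validate the result before handing it back."""
    parts = [p.strip().replace("\r\n", "\n") + "\n" for p in list(cert_pems) + [key_pem]]
    combined = "".join(parts)
    check_fusion_pem(combined)
    return combined

# Constructed placeholder blocks for demonstration (not real certificates or keys).
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBszCCAVygAwIBAgIUEXAMPLE\nZm9vYmFy\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAEXAMPLE\nYmF6cXV4\n-----END RSA PRIVATE KEY-----\n"
if __name__ == "__main__":
    print(check_fusion_pem(build_fusion_pem([FAKE_CERT], FAKE_KEY)))  # (1, 'RSA PRIVATE KEY')
    print(is_fusion_pem(FAKE_KEY + FAKE_CERT))  # False: key pasted above the certificate
```

For the Certificate Authority route, pass the root and intermediate certificates in cert_pems in the order your CA instructs; the check only enforces that every certificate precedes the key.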

FireDaemon Fusion SSL Integration

By default Fusion installs to "C:\Program Files (x86)\FireDaemon Fusion", so for the purposes of this guide we will use that directory. Take the following steps to enable SSL in FireDaemon Fusion.
  1. Copy your combined certificate file (Fusion.pem) to the installation directory.
  2. Next, log into Fusion and go to the Options tab.
  3. Scroll down until you find the SSL section.
  4. Check the "Use SSL" checkbox.
  5. If your SSL key file has a password, enter it here.
  6. Save your settings.
  7. Now navigate to the Fusion installation directory and edit the file called "FusionServices.xml".
  8. Near the middle of the file, find:


<Ssl>
<Key></Key>
<Passphrase></Passphrase>
</Ssl>


And replace with:

<Ssl>
<Key>MyCertificateFile.pem</Key>
<Passphrase>InsertPassphraseHashHere</Passphrase>
</Ssl>


MyCertificateFile.pem is the name of the certificate file you copied in step 1. The Passphrase value is a hash that can currently only be generated via the Fusion Options tab; it cannot be written by hand. However, if you have a wildcard certificate that is already installed in another Fusion installation, you can copy the hash from that installation's FusionServices.xml. A passphrase is entirely optional and can be omitted. Save this file.


Now restart the "FireDaemon Fusion" service via FireDaemon Pro or the Windows Services applet.


You're done! Visit https://my-ip-or-server:myport to start accessing FireDaemon Fusion over SSL. If you browse to http while https is enabled (or vice versa), nothing will display: you will see a blank page or the request will time out.


Caveats and Issues

If you start Fusion while the port is already in use, Fusion will not start and you will see the following error in the Fusion debug log:

ERROR 2013-08-05 21:48:50,610 [01bb0] WebServer net::TCPServer::start - Unable to bind to port 443: bind: An attempt was made to access a socket in a way forbidden by its access permissions
INFO 2013-08-05 21:48:50,610 [01bb0] pion __stdcall SvcMain - Catched Service mode exception
FATAL 2013-08-05 21:48:50,610 [01bb0] pion __stdcall SvcMain - bind: An attempt was made to access a socket in a way forbidden by its access permissions


If the passphrase is wrong, you will get a connection reset and see the following error in the debug log:

DEBUG 2013-08-05 21:54:37,241 [00f9c] WebServer net::TCPServer::handleAccept - New SSL connection on port 8443
WARN 2013-08-05 21:54:37,251 [00f9c] WebServer net::TCPServer::handleSSLHandshake - SSL handshake failed on port 8443 (no shared cipher)
DEBUG 2013-08-05 21:54:37,251 [00f9c] WebServer net::TCPServer::finishConnection - Closing connection on port 8443


If a passphrase is required but missing entirely, you will get a connection denied with no errors in the event log, and you may have to kill the FireDaemonFusion.exe process.


Here is an example of a successful connection sequence:

INFO 2013-08-05 22:01:43,229 [01594] WebServer net::TCPServer::start - Server IP 0.0.0.0
INFO 2013-08-05 22:01:43,229 [01594] WebServer net::TCPServer::start - Starting server on port 443
DEBUG 2013-08-05 22:01:43,229 [01594] FileService plugins::FileService::start - Starting up resource ()
DEBUG 2013-08-05 22:01:43,229 [01594] FileService plugins::FileService::start - Starting up resource (/Content)
INFO 2013-08-05 22:01:43,229 [01594] PionScheduler PionSingleServiceScheduler::startup - Starting thread scheduler
INFO 2013-08-05 22:01:43,230 [01594] pion __stdcall SvcMain - SvcMain: starting shutdown manager
DEBUG 2013-08-05 22:01:45,112 [01308] pion __stdcall SvcCtrlHandler - SvcCtrlHandler: SERVICE_CONTROL_INTERROGATE
DEBUG 2013-08-05 22:01:45,112 [01308] pion __stdcall SvcCtrlHandler - SvcCtrlHandler: call ReportSvcStatus
DEBUG 2013-08-05 22:01:45,113 [01308] pion __cdecl ReportSvcStatus - ReportSvcStatus: 4, Exit code: 0, Wait: 0
DEBUG 2013-08-05 22:02:06,367 [00dd8] WebServer net::TCPServer::handleAccept - New SSL connection on port 443
DEBUG 2013-08-05 22:02:06,985 [016e4] WebServer net::TCPServer::handleSSLHandshake - SSL handshake succeeded on port 443
DEBUG 2013-08-05 22:02:06,985 [00dd8] WebServer net::TCPServer::finishConnection - Closing connection on port 443
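The three excerpts above are exactly what a triage script needs to recognise. This Python is an added example, not anything shipped with Fusion: it classifies a block of Fusion debug-log lines into the outcomes this section describes. The sample lines are copied from the excerpts above, and a result of "no_evidence" corresponds to the third case (a required passphrase missing), which produces no log entries at all.

```python
import re
# Shape of one Fusion debug-log line: LEVEL date time [thread] component function - message
LOG_LINE = re.compile(
    r"^(?P<level>[A-Z]+) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[0-9a-f]+)\] (?P<component>\S+) (?P<func>.+?) - (?P<message>.*)$"
)
# Messages this guide ties to each outcome.
PORT_IN_USE = re.compile(r"Unable to bind to port (?P<port>\d+)")
HANDSHAKE_FAILED = re.compile(r"SSL handshake failed on port (?P<port>\d+) \((?P<reason>[^)]*)\)")
HANDSHAKE_OK = re.compile(r"SSL handshake succeeded on port (?P<port>\d+)")

def diagnose_fusion_log(lines):
    """Return {"status", "port", "detail"}: port_in_use / bad_passphrase / ok / no_evidence.
    Fatal outcomes win as soon as they are seen; "ok" requires a completed handshake."""
    verdict = {"status": "no_evidence", "port": None, "detail": None}
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # blank, wrapped or foreign line
        msg = m.group("message")
        hit = PORT_IN_USE.search(msg)
        if hit:
            return {"status": "port_in_use", "port": int(hit["port"]), "detail": msg}
        hit = HANDSHAKE_FAILED.search(msg)
        if hit:
            # This guide attributes "no shared cipher" at handshake to a wrong passphrase
            # (the key was never loaded); any other reason is reported verbatim.
            status = "bad_passphrase" if hit["reason"] == "no shared cipher" else "handshake_failed"
            return {"status": status, "port": int(hit["port"]), "detail": hit["reason"]}
        hit = HANDSHAKE_OK.search(msg)
        if hit and verdict["status"] == "no_evidence":
            verdict = {"status": "ok", "port": int(hit["port"]), "detail": msg}
    return verdict

# Sample input: lines copied from the excerpts in this section.
PORT_CLASH = ["ERROR 2013-08-05 21:48:50,610 [01bb0] WebServer net::TCPServer::start - Unable to bind to port 443: bind: An attempt was made to access a socket in a way forbidden by its access permissions"]
WRONG_PASSPHRASE = [
    "DEBUG 2013-08-05 21:54:37,241 [00f9c] WebServer net::TCPServer::handleAccept - New SSL connection on port 8443",
    "WARN 2013-08-05 21:54:37,251 [00f9c] WebServer net::TCPServer::handleSSLHandshake - SSL handshake failed on port 8443 (no shared cipher)",
]
HEALTHY = [
    "INFO 2013-08-05 22:01:43,229 [01594] WebServer net::TCPServer::start - Starting server on port 443",
    "DEBUG 2013-08-05 22:02:06,985 [016e4] WebServer net::TCPServer::handleSSLHandshake - SSL handshake succeeded on port 443",
]
if __name__ == "__main__":
    for name, sample in (("port clash", PORT_CLASH), ("wrong passphrase", WRONG_PASSPHRASE), ("healthy", HEALTHY), ("silent", [])):
        print(name, diagnose_fusion_log(sample))
```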